Systems and methods for secure automated network attachment

ABSTRACT

A method for automatically attaching a purpose-built electronic device to a provider network includes steps of discovering, by a Wi-Fi module of the purpose-built electronic device, a wireless data network in operable communication with the provider network selecting, by the Wi-Fi module, the wireless data network, transmitting a primary authentication certificate from the Wi-Fi module to an authentication, authorization, and accounting server of the provider network, receiving, by an application server of the provider network, a secondary authentication certificate from a functionality module of the purpose-built electronic device authenticating, by the provider network, the primary and secondary authentication certificates, and attaching the purpose-built device to the provider network.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. application Ser. No.15/419,853, filed Jan. 30, 2017, which claims the benefit of andpriority to U.S. Provisional Patent Application Ser. No. 62/288,535,filed Jan. 29, 2016, both of which are incorporated herein by referencein their entireties.

BACKGROUND

The field of the disclosure relates generally to management of computernetworks, and more particularly, to associating and provisioningwireless devices over such networks.

Some conventional Wi-Fi architectures utilize a Cloud for MobileInteractive (C4MI) platform for networks employing an enterprise system.In a healthcare provider facility, such as a hospital or clinic, awireless network implements a multi-layer network allowing differenttypes of network traffic to be securely separated from each other onseparate layers. For example, clinical data from medical devices isseparated from enterprise data for management administration, and alsois separated from guest or visitor data for Internet access traffic. Themultiple network layers can further be segmented by frequency or channelto ensure sufficient bandwidth, quality of service, or reliability tosupport the applications using that network layer. The C4MI Wi-Fiplatform may utilize a network geometric design layout, for example, a“Tholian Web” Wi-Fi geometric design/implementation. The geometricdesign and implementation of C4MI provides a foundation for placement ofWi-Fi access points (APs) and segregation of data traffic over thenetwork (e.g., clinical, enterprise, guest, etc.).

A hotspot is a wireless local area network (LAN) node that providesInternet connection and virtual private network (VPN) access from aparticular location for wireless devices with connectivity. Typically, awireless device user manually connects to a hotspot by searching forvisible wireless connection options, selecting one of the options, andthen entering authentication information (e.g., a password) to connect.Wi-Fi Alliance (WFA) Passpoint™, also known as Hotspot 2.0™, or just“Passpoint,” includes a set of protocols which allow a wireless deviceuser to streamline network access in hotspots and eliminate the need tofind and authenticate a network each time the device connects. A“Passpoint device” refers to an electronic device that passescertification testing based on WFA Hotspot 2.0. Passpoint includescertificate-based authentication mechanisms that provide automatednetwork discovery and attachment on secured service set identifiers(SSIDs). Passpoint supports roaming within and across networks.Over-the-network device provisioning is accomplished with a standard WFAcertified interface, and is based on the Access Network Query Protocol(ANQP).

Passpoint is used in a Wi-Fi network to select a wireless network SSIDbased on parameters such as 802.11 media access control (MAC) layermessages. Domain names or other identifiers, such as consortium ID, aswell as preferred or excluded networks can also identify the wirelessnetwork. Additionally, network loading and available backhaulconnectivity can be used for network selection decisions made by clientdevices. Devices utilizing Passpoint query Passpoint SSIDs for networkroaming capabilities using 802.11 MAC layer messages. Wireless devicesselect an SSID based on one or a combination of (i) support for theirprovider realm (e.g., “@hospital.com”), (ii) supported consortium IDs(e.g., “HealthcareWiFi”), (iii) mobile network operator (MNO)identifiers, and (iv) SSID names, preferred or excluded. Network loadingand available backhaul connectivity can also be used for networkselection decisions. Passpoint does not presently though, provide deviceaccess across multiple tiers of a network. With wireless medical devicesin particular, other networks (such as those not part of a particular orhospital network) may not be accessible by the wireless medical device.Accordingly, portable wireless medical devices may not be able tocommunicate through a wireless network outside of the particularclinical network for which they are configured.

BRIEF SUMMARY

In an embodiment, a method for automatically attaching a purpose-builtelectronic device to a provider network includes steps of discovering,by a Wi-Fi module of the purpose-built electronic device, a wirelessdata network in operable communication with the provider networkselecting, by the Wi-Fi module, the wireless data network, transmittinga primary authentication certificate from the Wi-Fi module to anauthentication, authorization, and accounting server of the providernetwork, receiving, by an application server of the provider network, asecondary authentication certificate from a functionality module of thepurpose-built electronic device authenticating, by the provider network,the primary and secondary authentication certificates, and attaching thepurpose-built device to the provider network.

In an embodiment, a system for automated attachment of wirelesselectronic devices, includes a first purpose-built electronic device anda provider subsystem. The first purpose-built electronic device includesa Wi-Fi module and a functionality module. The provider subsystemincludes an authentication, authorization, and accounting server forverifying a primary authentication certificate from the Wi-Fi module,and an application server for verifying a secondary authenticationcertificate from the functionality module.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other features, aspects, and advantages of the presentdisclosure will become better understood when the following detaileddescription is read with reference to the accompanying drawings in whichlike characters represent like parts throughout the drawings, wherein:

FIG. 1 is a schematic illustration of an exemplary network attachmentsystem, according to an embodiment.

FIG. 2 is a schematic illustration of an alternative network attachmentsystem, according to an embodiment.

FIG. 3 illustrates an exemplary flow process for device provisioning,according to an embodiment.

Unless otherwise indicated, the drawings provided herein are meant toillustrate features of embodiments of this disclosure. These featuresare believed to be applicable in a wide variety of systems including oneor more embodiments of this disclosure. As such, the drawings are notmeant to include all conventional features known by those of ordinaryskill in the art to be required for the practice of the embodimentsdisclosed herein.

DETAILED DESCRIPTION

In the following specification and claims, reference will be made to anumber of terms, which shall be defined to have the following meanings.

The singular forms “a,” “an,” and “the” include plural references unlessthe context clearly dictates otherwise.

“Optional” or “optionally” means that the subsequently described eventor circumstance may or may not occur, and that the description includesinstances where the event occurs and instances where it does not.

Approximating language, as used herein throughout the specification andclaims, may be applied to modify any quantitative representation thatcould permissibly vary without resulting in a change in the basicfunction to which it is related. Accordingly, a value modified by a termor terms, such as “about,” “approximately,” and “substantially,” are notto be limited to the precise value specified. In at least someinstances, the approximating language may correspond to the precision ofan instrument for measuring the value. Here and throughout thespecification and claims, range limitations may be combined and/orinterchanged; such ranges are identified and include all the sub-rangescontained therein unless context or language indicates otherwise.

The embodiments herein describe and illustrate a system and method forsecure, automated network discovery and attachment of a wireless deviceto a network, and particularly on multiple-layer, enterprise wirelessnetworks, including without limitation, Wi-Fi networks. The embodimentsdescribed below are featured primarily in the context of healthcareproviders and medical devices utilizing Wi-Fi networks. However, aperson of ordinary skill in the art, after reading and comprehending thewritten disclosure and accompanying drawings, will understand how theprinciples described herein are applicable to enterprise environments ingeneral which utilize wireless network technology.

The embodiments described herein further disclose how securecredentials, including without limitation, X.509 certificates, may beused for device authentication of both general purpose devices (e.g.,smart phones, tablets, personal computers, etc.) and purpose-builtdevices (e.g., medical devices) which may not have user interfacecapability for making manual network selection and for manually enteringcredentials (such as username and password) for secure authentication.According to the embodiments herein, a particular automated networkdiscovery and attachment scheme of a particular provider, such as ahospital/clinical setting, could be extended to remote locations, suchas a medical patient's home, thereby providing the same level of secureautomated network selection and attachment at the remote setting as maybe realized in the provider network setting. Accordingly, irrespectiveof the wireless setting, purpose-built devices may avoid a sign-onprocess to automatically and securely attach to and be authenticated bythe appropriate network (which may be remote from the AP of theparticular device) without human intervention or requiring a user nameand password.

In an exemplary embodiment, Passpoint is overlaid with a C4MIimplementation to provide a robust security layer. Passpoint, forexample, supports several types of security credentials. According tothe embodiments disclosed herein, other wireless networks may use othertypes of security credentials, but may apply processes and schemes forsecure, automated network attachment and authentication. Credential setswhich may be compatible with Passpoint include, without limitation,device or user certificates, such as Extensible Authentication Protocol(EAP) and EAP Transport Layer Security (EAP-TLS), or a mutualauthentication between network and device using certificate. EAPgenerally requires a certificate from a Certificate Authority (CA) forthe device to certify the network.

User names with passwords can also be utilized with Passpoint ascredential sets. In this example, the credential set may utilize,without limitation, EAP Tunneled Transport Layer Security (EAP-TTLS)with Microsoft Challenge Handshake Authentication Protocol version 2(MSCHAPv2). EAP-TTLS provides authentication similar to EAP-TLS, butdoes not require that each user be issued a certificate. Instead, onlythe authentication servers are issued certificates. Such credential setsotherwise generally require a CA certificate for the device to certifythe network. Utilization of these credential sets allow the system tomitigate “man-in-the-middle” attacks and malicious APs, and the devicedoes not allow a user to bypass network authentication or accept anunknown CA certificate if compliant to Passpoint specifications. Othercredentials supported by Passpoint include, without limitation, EAP-TTLSPassword Authentication Protocol (PAP), Subscriber Identity Module (SIM)based credentials for mobile operators, such as EAP Subscriber IdentityModule (EAP-SIM), EAP Authentication and Key Agreement (EAP-AKA), andEAP Authentication and Key Agreement prime (EAP-AKA′).

FIG. 1 is a schematic illustration of an exemplary network attachmentsystem 100. System 100 includes a provider subsystem 102 to which afirst electronic device 104 wirelessly connects. Provider subsystem 102includes a Wi-Fi core unit 106 including a Hotspot 2.0 online signup(OSU), which is an open SSID giving the ability for wireless clients toconnect to the secure hotspot service by signing up and downloading acustom profile. According to the example illustrated in FIG. 1, providersubsystem 102 represents a medical or clinical setting, and furtherincludes an authentication, authorization, and accounting (AAA) server108 and an application server 110. Wi-Fi core unit 106 communicativelyconnects with AAA server 108, an AP 112, and an electronic network 114.Electronic network 114 is, for example, the Internet, a Cloud-basednetwork, or another form of electronic network, such as a LAN or WAN. AP112 is, for example, configured to transmit and receive data over PublicOpen, Clinical Secure, and Enterprise Secure layers within providersubsystem 102. Communicative connections from Wi-Fi core unit 106 may bewireless, or wired, e.g., cable or Ethernet.

First electronic device 104 includes a first Wi-Fi module 116 and afirst functionality module 118. As shown in the exemplary embodiment,first Wi-Fi module 116 represents a USB Wi-Fi module which communicateswith functionality module 118 over an electrical connection 120, whichis, for example, a USB, Ethernet, or compact flash connection or theequivalent. First functionality module 118 includes at least oneprocessor (not shown) for executing the functions particular to firstelectronic device 104, and for transmitting/receiving electronic datato/from first Wi-Fi module 116 over electrical connection 120. In theexemplary embodiment, first electronic device 104 is a medical devicelocated within the transmission range of AP 112 of provider subsystem102, and first Wi-Fi module 116 wirelessly communicates with AP 112 atthe Clinical Secure layer of provider subsystem 102, as describedfurther below.

In an embodiment, system 100 further includes a second electronic device122, having a second Wi-Fi module 124 and a second functionality module126. In this example, second electronic device 122 is also a medicaldevice, but differs from first electronic device 104 in that secondWi-Fi module 124 is integral to second electronic device 122. Secondelectronic device 122 is similarly located within the transmission rangeof provider subsystem 102 and wirelessly communicates with AP 112 at theClinical Secure layer of provider subsystem 102. In an embodiment,system 100 further includes an enterprise Wi-Fi client 128 and a visitorWi-Fi client 130. Both enterprise Wi-Fi client 128 and visitor Wi-Ficlient 130 may represent, for example, electronic devices within thetransmission range of provider subsystem 102, such as smart phones,tablets, personal computers, or other electronic devices capable ofwirelessly connecting with AP 112. In this example, enterprise Wi-Ficlient 128 wirelessly communicates with AP 112 at the Enterprise Securelayer, and visitor Wi-Fi client 130 wirelessly communicates with AP 112at the Public Open layer.

In operation, network attachment system 100 implements a two-certificateattachment scheme for either or both of first and second electronicdevices 104, 122. Medical devices, for example, differ in how theyintegrate Wi-Fi functionality. That is, a separate Wi-Fi module (e.g.,first Wi-Fi module 116) with a standard interface, such as USB,Ethernet, compact flash, etc., is potentially removable, whereas anintegral Wi-Fi module (e.g., second Wi-Fi module 124) may include anembedded Wi-Fi chip integrated into the device itself. According to thepresent embodiments, both architectures utilize two differentcertificates: (1) a Wi-Fi certificate 132 for the USB module or integralchip to secure network attachment and HS 2.0/Passpoint implementation;and (2) a medical device functionality certificate 134 to verify thatthe medical device (e.g., 104, 122) conforms to C4MI requirements forinteroperability. In an exemplary embodiment, Wi-Fi certificate 132 isprovisioned at manufacture of the particular electronic device.Alternatively, Wi-Fi certificate 132 is provisioned at the care provider(e.g., provider subsystem 102). In the exemplary embodiment, medicaldevice functionality certificate 134 is installed at the time ofmanufacture of the particular device.

As shown in the exemplary embodiment, multiple layers (e.g., PublicOpen, Clinical Secure, Enterprise Secure, etc.) are used in a clinicalor hospital setting. The two-certificate approach described hereinthough will be understood to be adaptable to different wireless networksor enterprises that support multiple network layers. As describedherein, purpose-built devices, such as medical devices, have securitycredentials inserted into the device at the time of manufacture toprovide a higher level of security. A trust authority can be used toissue these security credentials to further increase the security level.In contrast, general-purpose devices, such as smart phones, tablets,personal computers, etc., that are commercially available generally donot have application specific security credentials installed at the timeof manufacture. These general-purpose devices may use an OSU process toprovision the security credentials necessary for automatic networkattachment. How and when particular security credentials are provisionedmay be determined by the respective network/enterprise according to itsown policies. The exemplary embodiments herein are described withrespect to medical devices. However, the disclosed attachment andprovisioning systems and methods are applicable to other purpose-builtdevices.

In the exemplary embodiment, general-purpose devices used by doctors orhospital staff (e.g., enterprise Wi-Fi client 128) are provisioned toenable an automatic attachment to the appropriate enterprise network(e.g., at AAA server 108) through a Passpoint/Hotspot 2.0 primaryauthentication 136. For automatic attachment, individuals are able toauto-attach wireless devices across work groups, campuses and partnersof provider subsystem 102 through primary authentication 136. In thisexample, hospital administrators and/or management are also enterpriseWi-Fi client 128 devices, and follow a similar automatic attachmentprocess by primary authentication 136, but may attach to a separateenterprise network, such as a second Enterprise Secure layer of providersubsystem 102. In the exemplary embodiment, visitor Wi-Fi clients 130(i.e., general-purpose devices of visitors to the hospital of providersubsystem 102) would attach to a separate layer (e.g., Public Openlayer) of subsystem 102, and would not be permitted to access any of theClinical Secure or Enterprise Secure layers.

In an embodiment, network attachment system 100 is further configured toimplement procedures regarding OSU of new authorized users, and deviceprovisioning for new devices (e.g., tablets, smart phones, personalcomputers, etc.) of existing authorized users. An exemplary procedurefor the embodiment shown in FIG. 1 may include one or more PasspointSSIDs advertising an operator-friendly name (e.g., a care providerrealm, a consortia ID, etc.) and OSU capabilities (e.g., of Wi-Fi coreunit 106). After the operator-friendly name is presented to the userdevice, the user may select the operator name, and the device willassociate to the OSU SSID and be directed to a provisioning server. Asubscription is then created for new users, and the particular device isprovisioned for secure SSID settings and an operator-driven networkselection policy. Once the OSU process is complete, the user's devicethen performs network selection and attaches to the network. Accordingto this procedure set, one operator cannot overwrite the subscription ofanother, and when multiple subscriptions are provisioned, the user isable to select a preferred operator.

With respect to Wi-Fi certificate 132 and medical device functionalitycertificate 134, network attachment system 100 may accommodate theimplementations of two such sets of security credentials utilizing X.509certificates, for example. Thus, Wi-Fi certificate 132 provides securitycredentials for the Wi-Fi network interface itself, whether separate orintegrated, which secures the network selection and attachment,verifying the Passpoint implementation. Medical device functionalitycertificate 134 allows for a secondary authentication 138 of the medicaldevice functionality (e.g., of functionality modules 118, 126) to theappropriate network server (e.g., application server 110) to validatethat the medical device conforms to the required interoperability andsecurity requirements (C4MI in this example). Secondary authentication138 thus validates that the device functionality, separately from itsWi-Fi accessibility, is a trusted implementation. Secondaryauthentication 138 therefore provides a further preventative measureagainst attack on the network from a malicious device. In other words,in a clinical setting, the secondary authentication 138 advantageouslyassures that the device is a valid medical device and not a potentialnetwork attack from a general-purpose device or a compromisedpurpose-built device.

In an exemplary embodiment, in order to further raise the level ofassurance, security credentials are issued from a trusted authority andproperly installed into the devices, either at the point of manufactureor securely provisioned using standard provisioning interfaces. It maybe necessary for purpose-built devices that have not yet been certifiedto place trust on the Wi-Fi module and certificate. In such anembodiment, some other attestable method may be used to verify thepurpose-built device to which the module is attached or in which themodule is embedded.

According to the exemplary embodiment illustrated in FIG. 1, a two-phaseauthentication process is implemented for one or more purpose-builtdevices (e.g., devices 104, 122). In the first phase of authentication,the respective Wi-Fi module (e.g., module 116, 124) attaches to theappropriate wireless network (e.g., the clinical data network of theClinical Secure layer). In the second phase of authentication, therespective purpose-built functionality portion (e.g., module 118, 126)of the device authenticates with the appropriate data network server(e.g., application server 110) to verify that the device is a validpurpose-built device and operates properly with the data network, suchas a medical device with a clinical network, or C4MI requirements in theexemplary system illustrated in FIG. 1.

In an alternative embodiment, secondary authentication 138 is notlimited to only wireless connections, but may also be implemented withrespect to wired connections, such as Ethernet. In one example, amedical device is connected to a clinical data network by Ethernetconnection, and the two-phase authentication scheme, described above, isimplemented. In the first phase, AAA server 108 utilizes Wi-Ficertificate 132 to authenticate the Wi-Fi module (e.g., module 116, 124)for access to the appropriate Wi-Fi network. In the second phase ofauthentication, the medical device functionality certificate 134 isauthenticated by application server 110 using an appropriate protocol,for example, Protocol for Carrying Authentication for Network Access(PANA), Hypertext Transfer Protocol (HTTP) over TLS (HTTPS), or InternetProtocol Security (IPsec).

According to the embodiments described herein, network attachment system100 is particularly advantageous to health care networks or clinicalsettings using layered wireless communications. According to theembodiment illustrated in FIG. 1, Passpoint/Hotspot 2.0 is implementedtogether with C4MI and/or TLS mutual authentication to create amulti-tiered secured network having Wi-Fi access available to not onlymedical devices, but also devices of health care specialists,administration and management devices, and open SSID visitor networkswith sign-in portals. According to the embodiment of FIG. 1, AP 112 mayadvantageously support multiple Passpoint-enabled SSIDs to securelyseparate traffic among the several user groups. Consumer devices, suchas tablets and smart phones, are able to utilize the Passpoint OSU forprovisioning of credentials and network selection (e.g., through primaryauthentication 136), and medical device vendors are able to insertfunctionality certificates at the time of manufacturing for highersecurity and automatic attachment (e.g., through both primaryauthentication 136 and secondary authentication 138) without requiringOSU. The two-phase approach thus advantageously allows the purpose-builtdevices to automatically attach and roam among access points withoutrequired user intervention. In an exemplary embodiment, primaryauthentication 136 is a Passpoint/Hotspot 2.0 authentication, andsecondary authentication 138 is a TLS mutual authentication.

Systems and methods according to the embodiment illustrated in FIG. 1present a unique system architecture which allows a care provider's AP(e.g., AP 112) to “advertise” three or more types of wireless networks,that is, an open public network for visitors, a secure clinical datanetwork for medical devices, and a secure enterprise network for theenterprise applications. In some embodiments, the plurality of accesspoints may be deployed to cover a large provider subsystem (e.g., a C4MInetwork geometric design layout), and to enable connection to the coreWi-Fi network (e.g., Wi-Fi core unit 106) and its associated OSU server.A medical device application server (e.g. application server 110) isconnected to the enterprise network, and the enterprise network is alsoattached to the Internet (e.g., electronic network 114). As illustratedin FIG. 1, at least four types of clients may access system 100:enterprise Wi-Fi client 128 that uses Passpoint to attach to the secureenterprise network; visitor Wi-Fi client 130 that uses the open publicnetwork for Internet access while visiting the facility; and at leasttwo medical devices (e.g., 104, 122) that connect to the secure clinicaldata network with the second set of security credentials (e.g. medicaldevice functionality certificate 134) for authentication as validmedical devices.

This novel approach is of particular value with respect to medicaldevices being utilized by patients who are often unable to manage an OSUprocess. A medical device, for example, may be configured to access aparticular clinical network, but will often be unable to access adifferent network without first going through some level of setup by askilled technician, even though different networks may be able torecognize the presence of the medical device, including push informationtransmitted by the device. Conventional single-tiered networks requireeach type of device (e.g., visitor, enterprise, purpose-built) toseparately be provisioned, select, and attach to the particular networklayer (e.g., Public Open, Enterprise Secure, Clinical Secure) in whichthat device operates. The two-phase authentication scheme describedherein advantageously creates a multi-tiered secure network with Wi-Fiaccess available to the various devices without compromising thesecurity of a purpose-built device from the network, or the network froman unauthenticated device.

FIG. 2 is a schematic illustration of an alternative network attachmentsystem 200. Similar to system 100, described above, system 200 includesa provider subsystem 202, to which an electronic device 204 wirelesslyconnects. System 200 differs from system 100 in that electronic device204 is located at a remote setting 206, such as a subscriber or patienthome.

Provider subsystem 202 includes a Wi-Fi core unit 208 including aHotspot 2.0 OSU, an AAA server 210, and an application server to 212.Wi-Fi core unit 208 communicatively connects with at least AAA server210 and an electronic network 214, which is, for example, the Internet,a Cloud-based network, a LAN, or WAN. Provider subsystem 202 may furtherinclude an AP (not shown). Communicative connections from Wi-Fi coreunit 208 may be wireless, or wired, e.g., cable or Ethernet. Electronicdevice 204 includes a Wi-Fi module 216 and a functionality module 218.As illustrated in FIG. 2, Wi-Fi module 216 is a USB Wi-Fi module, andcommunicates with functionality module 218 over an electrical connection220. Wi-Fi module 216 is alternatively integrally configured with thearchitecture of functionality module 218, as described above withrespect to FIG. 1 (second electronic device 122). Functionality module218 includes at least one processor (not shown) for executing thefunctions particular to electronic device 204, and fortransmitting/receiving electronic data to/from first Wi-Fi module 216over electrical connection 120.

In an embodiment, remote setting 206 further includes a wireless gatewaydevice 222, which is, for example, a cable wireless gateway available ata cable subscriber's home location. Wireless gateway device 222 thusserves to function as a virtualized AP from which electronic device 204is thereby able to access a Public Open layer or network, a desiredClinical Secure layer or network, and a Subscriber Private layer ornetwork.

In operation, network attachment system 200 implements a two-certificateattachment scheme for electronic device 204, similar to that describedabove with respect to system 100 (FIG. 1), except for the remoteoperation of electronic device 204. This two-certificate attachmentscheme includes: (1) a Wi-Fi certificate 224 for Wi-Fi module 216 tosecure network attachment and HS 2.0/Passpoint implementation; and (2) adevice functionality certificate 226 to verify that electronic device204 conforms, for example, to C4MI requirements for interoperability. Inan exemplary embodiment, Wi-Fi certificate 224 is provisioned atmanufacture of electronic device 204. Alternatively, Wi-Fi certificate224 is provisioned at provider subsystem 202. In the exemplaryembodiment, device functionality certificate 226 is installed at thetime of manufacture of electronic device 204.

In further operation, wireless gateway device 222 of network attachmentsystem 200 connects with and communicates over a secure access network228, which is, for example, a cable access network. In an exemplaryembodiment, secure access network 228 communicates with an accessnetwork termination 230 of an operator headend 232, which itself isconfigured to communicate with electronic network 214 over a secure VPN234. In an exemplary embodiment, electronic device 204 is provisioned toenable an automatic attachment to the appropriate layer/network (e.g.,Clinical Secure) of AAA server 210 by a primary authentication 236 ofWi-Fi module 216 and a secondary authentication 238 of functionalitymodule 218, without requiring an OSU process, and without riskingunauthorized access to other layers of provider subsystem 202. In theexemplary embodiment, Wi-Fi certificate 224 and device functionalitycertificate 226, utilize X.509 protocols, and primary authentication 236is a Passpoint/Hotspot 2.0 authentication process, and secondaryauthentication 238 is a TLS mutual authentication process. Primaryauthentication 236 and secondary authentication 238 are transmitted 240,for example, over secure VPN 234.

System 200 therefore implements a similar method to system 100 forsecure automated network selection and attachment of a purpose-builtdevice located in a remote setting from a provider subsystem. In theexample illustrated in FIG. 2, the remote setting (e.g., remote setting206) is the home of a cable subscriber patient, and a cable operator(e.g., operator headend 232) is the access network provider (e.g.,secure access network 228) to the subscriber's home. Alternatively,different types of wired access (e.g., Digital Subscriber Line (DSL),fiber, etc.) or wireless access (e.g., Long-Term Evolution (LTE))network providers may serve as the access network provider for system200. In this example, the cable operator/access network providerprovisions a wireless gateway in the subscriber's home with the samesecure clinical data network identifiers as used in the AP of theprovider subsystem. The access network provider provisions a secure VPN(e.g., secure VPN 234) connection from the gateway (e.g., wirelessgateway device 222) to the care provider's enterprise networks through aregional network (e.g., electronic network 14). The medical device(e.g., electronic device 204) may then attach to the clinical datanetwork using the same process that is used within the transmissionrange of the provider subsystem.

According to the embodiment illustrated in FIG. 2, an access networkprovider may further provision additional wireless networks in thewireless gateway to support the subscriber's private Internet/electronicnetwork access, including a public network for community Internetaccess, and the open public network in the care provider's facilities.Alternatively, or additionally, multiple access network providers may beutilized in system 200 without departing from the scope of theembodiment. For example, a hospital may have multiple redundant Internetproviders, permitting a neutral hosting of multiple network operatorsthrough the hospital's wireless network. Subscribers of these networkoperators could then seamlessly roam onto the wireless network, forexample, using Passpoint roaming capabilities, without compromising thesecurity of different devices among the multi-tiered architecture of theprovider subsystem.

In some embodiments involving home deployments purpose-built devices,when implemented according to the 802.11-2012 specification, standard802.11 MAC signaling protocols support only one security paradigm perSSID. Accordingly, multiple SSIDs may be implemented to allow acombination of open and Passpoint, or PSK and Passpoint, securityparadigms. In other embodiments, reserved vendor proprietary fields areutilized to construct an equivalent scheme, which is then eitherstandardized, or involves vendor proprietary procedures at the deviceand AP. In an alternative embodiment, at least three SSIDs are used toseparate traffic according to the standard 802.11 MAC, without vendorproprietary signaling for open public SSIDs for guests, clinical SSIDsvia Passpoint for certified medical devices, and subscriber privateSSIDs via PSK for the subscriber. In at least one embodiment utilizingtwo SSIDs, a single Passpoint SSID, for both the subscriber privatenetwork and clinical network, may be utilized in addition to utilizationof virtual AP schemes to separate and forward traffic. In anotherembodiment, a single Passpoint SSID for the public and clinical networksis utilized for cable multiple-system operators (MSO) Wi-Fi architectureor virtual AP.

FIG. 3 illustrates an exemplary flow process 300 for provisioning of awireless electronic device 302, which may be implemented with systems100 and 200, described above. Process 300 illustrates a message exchangesequence 304 for provisioning username and password credentials towireless electronic device 302 using Security Policy Protocol (SPP), forexample, by way of an AP 306 in communication with an OSU server 308.Process 300 begins at step S310. In step S310, wireless electronicdevice 302 initiates a TLS connection to OSU server 308. In an exemplaryembodiment, step S310 is performed utilizing server-side authenticationusing HTTPS. In an alternative embodiment, separate Transmission ControlProtocol (TCP) connections (and TLS sessions) can be used for SimpleObject Access Protocol (SOAP) eXtensible Markup Language (XML) exchangesthat happen prior to and after the user interaction via a web browser.

In step S312, wireless electronic device 302 transmits, for example,sppPostDevData SOAP method to OSU server 308, which includes Devinfo andDevDetail MOs, and which may further include SessionID, requestReason,and redirectURI information. In an exemplary embodiment, a value forrequestReason is set to “Subscription registration,” indicating thedesire to register for credentials. The redirectURI information isgenerated by wireless electronic device 302, which resolves to aresource internal in the mobile device. After OSU server 308 hasreceived sufficient data to complete the registration process, OSUserver 308 redirects a web browser of wireless electronic device 302 tothe redirectURI (see step S320, below). An internal event caused byretrieval of the redirectURI resource can then be used to signal to aconnection manager (not shown) of wireless electronic device 302 thatthe registration process is complete and to proceed to step S314.

In step S314, OSU server 308 transmits a SOAP methodsppPostDevDataResponse, including a sessionID value generated by OSUserver 308 to wireless electronic device 302. In an exemplaryembodiment, the sessionID is a 128-bit random number used to bindtogether messages from a specific mobile device to OSU server 308. Thegenerated sessionID value may then be used in all subsequent SOAPmessages exchanged within flow process 300. Once the user has signaledfor subscription registration, OSU server 308 returns a command forwireless electronic device 302 to launch a browser (not shown) to theURI supplied in the message. In this example, the URI contains thegenerated sessionID value from the SOAP method's sessionID attribute. Inan exemplary embodiment, the length of the sessionID is set to minimizethe possibility an attacker could successfully guess the sessionID valueand disrupt or break the provisioning process or steal the credentialsof another wireless electronic device.

In step S316, wireless electronic device 302 transmits an HTTPS GETrequest to the URI provided in the sppPostDevDataResponse. In step S318,a user provides relevant subscription information to OSU server 308 (andselects a rate plan, if applicable). In step S320, after the exchange ofregistration data, OSU server 308 transmits a final HTTP 302 REDIRECTmessage to wireless electronic device 302. In step S322, wirelesselectronic device 302 transmits a sppPostDevData message to OSU server308 containing the sessionID and requestReason. In an exemplaryembodiment, the requestReason is set to “User input completed.”According to this example, the sessionID further advantageouslyfacilitates the use of multiple TLS tunnels and/or TCP connectionsbetween a particular wireless electronic device and OSU server 308. Forimplementation reasons, a mobile device may use more than one TLS tunneland/or more than one TCP connection throughout the message flowsequence.

In step S324, OSU server 308 transmits to wireless electronic device 302a sppPostDevDataResponse message. The sppPostDevDataResponse includesthe sessionID, an addMO command, and a PerProviderSubscription MO. Instep S326, after wireless electronic device 302 successfully adds thePerProviderSubscription MO (and other MOs, if present) to its managementtree, wireless electronic device 302 transmits to OSU server 308 ansppUpdateResponse SOAP method containing the sessionID and the sppStatusset to “OK.” In an embodiment, in the case where wireless electronicdevice 302 is not able to add the PerProviderSubscription MO (or otherMOs, if applicable), wireless electronic device 302 transmits to OSUserver 308 an sppUpdateResponse message with sppStatus set to “Erroroccurred,” and may further transmit an Error Code, and wirelesselectronic device 302 deems credential provisioning to have failed anddoes not attempt to use any credential which may have been receivedduring the message sequence illustrated in FIG. 3. Otherwise, flowprocess 300 then proceeds to step S328.

In step S328, OSU server 308 transmits to wireless electronic device 302a sppExchangeComplete SOAP method containing the sessionID withsppStatus set to “Exchange complete, release TLS connection.” In stepS330, wireless electronic device 302 utilizes HTTPS to retrieve trustanchor CA certificates for the AAA server (e.g., AAA server 108, FIG.1), a subscription remediation server, and a policy server (ifapplicable) using CertURLs in the PPS MO. In step S332, wirelesselectronic device 302 releases the TLS session established in step S310.In step S334, wireless electronic device 302 disassociates from AP 306,and in step S336, re-associates with AP 306 using newly establishedcredentials, if available.

In an exemplary embodiment of flow process 300, and individual careprovider subsystem (e.g., through OSU server 308) establishes networkselection policies and provisions certificates to wireless electronicdevice 302 (e.g., a smart phone, tablet, personal computer, etc.), aswell as available Wi-Fi modules (e.g., 116, 124, 216). In someembodiments, alternative WFA interfaces are available for devicemanagement, including, without limitation, Open Mobile Alliance DeviceManagement (OMA-DM) and SOAP XML. Exemplary provisioning for wirelesselectronic device 302 may include, without limitation, non-SIMcredentials, such as Wi-Fi and C4MI certificates or CA certificates,SSID settings, and or operator policies for network selection

In some embodiments of flow process 300, Wi-Fi provisioning and datamodel parameters include subscription definitions and network selectioncriteria per subscription. A subscription definition may include,without limitation: credentials such as a username and password, a SIM,or a device certificate; an authentication protocol, such as EAP-SIM,EAP-AKA, EAP-AKA′, EAP-TLS, or EAP-TTLS with MSCHAPv2, PAP, or GenericToken Card (GTC); Wi-Fi Protected Access 2 (WPA2) Anonymous identity; aCA certificate; a subscription duration, including an expiration date, atime usage limit, and/or a volume usage limit; and a subscriptionpriority. Network selection criteria may include, without limitation: ahome network fully qualified domain name (FQDN); a prioritized preferredroaming partner list by realm or mobile network operator (MNO)identifier, such as mobile country code (MCC) and/or mobile network code(MNC); a consortium ID; a preferred SSID; and excluded SSID; a minimumbackhaul threshold; and a maximum basic service set (BSS) loadthreshold. According to the exemplary embodiments herein, the presentsystems and methods advantageously allow a network operator to pushdevice provisioning, including credentials, over a standard Passpointinterface.

The present systems and methods further allow for improvedinteroperability of multiple general-purpose and purpose-built devicesacross a multi-tiered network structure, by implementing a noveltwo-phase authentication scheme utilizing C4MI devices securityspecifications with Passpoint 2.0 certificate based authentications.Such C4MI devices security specifications may include, withoutlimitation, X.509 devices certificate profiles, X.509 user certificateprofiles, a Public Key Infrastructure (PKI) hierarchy identifying achain of trust, secure software download requirements for medicaldevices, and/or secure certificate injection requirements on medicaldevice manufacturers. Present systems and methods further advantageouslyprovide for improved PKI management, including, without limitation,processes for certifying that particular purpose-built devices complywith C4MI specifications, a certification board for setting securitypolicies and making pass/fail decisions, a trusted certificate issuancesystem from third-party providers, and active PKI monitoring andpolicing against compromises or attacks.

Exemplary embodiments of automated network attachment systems andmethods are described above in detail, and more particularly with regardto two-phase device authentication for wireless devices. The systems andmethods of this disclosure though, are not limited to only the specificembodiments described herein, but rather, the components and/or steps oftheir implementation may be utilized independently and separately fromother components and/or steps described herein.

Although specific features of various embodiments of the disclosure maybe shown in some drawings and not in others, this convention is forconvenience purposes and ease of description only. In accordance withthe principles of the disclosure, a particular feature shown in adrawing may be referenced and/or claimed in combination with features ofthe other drawings.

Some embodiments involve the use of one or more electronic or computingdevices. Such devices typically include a processor or controller, suchas a general purpose central processing unit (CPU), a graphicsprocessing unit (GPU), a microcontroller, a reduced instruction setcomputer (RISC) processor, an application specific integrated circuit(ASIC), a programmable logic circuit (PLC), a field programmable gatearray (FPGA), a digital signal processing (DSP) device, and/or any othercircuit or processor capable of executing the functions describedherein. The processes described herein may be encoded as executableinstructions embodied in a computer readable medium, including, withoutlimitation, a storage device and/or a memory device. Such instructions,when executed by a processor, cause the processor to perform at least aportion of the methods described herein. The above examples areexemplary only, and thus are not intended to limit in any way thedefinition and/or meaning of the term “processor.”

This written description uses examples to disclose the embodiments,including the best mode, and also to enable any person skilled in theart to practice the embodiments, including making and using any devicesor systems and performing any incorporated methods. The patentable scopeof the disclosure is defined by the claims, and may include otherexamples that occur to those skilled in the art. Such other examples areintended to be within the scope of the claims if they have structuralelements that do not differ from the literal language of the claims, orif they include equivalent structural elements with insubstantialdifferences from the literal language of the claims.

What is claimed is:
 1. A method for automatically attaching a firstelectronic device operating at a first location to a provider networkoperating at a second location, the method comprising the steps of:discovering, by a communication module of the first electronic device, acommunication data network in operable communication with the providernetwork; selecting, via the communication module, the communication datanetwork; transmitting a primary authentication certificate from thecommunication module to an authentication server of the providernetwork; receiving, by an application server of the provider network, asecondary authentication certificate from a functionality moduleassociated with the first electronic device; authenticating, by theprovider network, the primary and secondary authentication certificates;and attaching the first device to the provider network, wherein thefirst location is one of (i) within an operational vicinity of theprovider network at the second location, and (ii) outside of theoperational vicinity of the provider network.
 2. The method of claim 1,wherein the first device is a medical device and the provider network isassociated with a clinical network.
 3. The method of claim 2, whereinthe step of attaching comprises attaching the medical device to aclinical secure layer of the provider network.
 4. The method of claim 3,further comprising the step of provisioning an enterprise client deviceto an enterprise secure layer of the provider network.
 5. The method ofclaim 4, wherein the step of provisioning comprises transmitting aprimary authentication from the enterprise client device to theauthentication server of the provider network.
 6. The method of claim 4,wherein the enterprise client device is a general-purpose electronicdevice.
 7. The method of claim 1, further comprising the step ofprovisioning a wireless visitor device to a public open layer of theprovider network.
 8. The method of claim 7, wherein the wireless visitordevice is a general-purpose electronic device.
 9. The method of claim 1,wherein the primary authentication certificate is based on an accessnetwork query protocol.
 10. The method of claim 1, wherein the secondaryauthentication certificate is based on a cloud for mobile interactionplatform.
 11. The method of claim 10, wherein the secondaryauthentication certificate is received separately from the primaryauthentication certificate.
 12. The method of claim 11, wherein thesecondary authentication certificate is received over an Ethernetconnection.
 13. The method of claim 1, wherein the primary and secondaryauthentication certificates are received over one or more of a secureaccess network and a secure virtual private network.
 14. The method ofclaim 1, wherein the communication data network is a wireless network.15. The method of claim 14, wherein the wireless network is a Wi-Finetwork.